• How it works
  • Why Locari
  • WhatsApp
  • Pricing
  • FAQ
Log inStart for free
  • How it works
  • Why Locari
  • WhatsApp
  • Pricing
  • FAQ
Start for freeLog in
Help›Data Protection — Overview›GDPR Compliance

Data Protection — Overview

GDPR Compliance

Legal bases, the data protection authorities' three-phase model, and data subject rights — how Locari implements GDPR concretely in the rental process.

Locari is built so you, as a landlord, can comply with GDPR without being a data protection expert. Consent, data minimization, and data subject rights are integrated directly into the rental workflow.

What Locari does automatically: send consent emails (Art. 7), provide data protection notices at first contact (Art. 13), only request sensitive criteria in the appropriate phase, delete applicant data automatically after completion. What you decide: whether to withdraw a consent manually, whether to delete applicant data early, which privacy policy is linked in the application form.

Common Tasks

  • Look up the legal basis for my processing
  • Understand data minimization under the three-phase model
  • Fulfill a data subject right — access, deletion, rectification
  • Understand retention and automatic deletion
  • Understand the data processing relationship
  • Pre-launch checklist

How To

Handle a deletion request (Art. 17)

  1. Applicant requests deletion via the withdrawal link or in writing.
  2. Is the process still active? Then inform the applicant first — they can withdraw their application themselves at any time via the withdrawal link.
  3. After completion: remove via Delete data in the rental case > Consents tab. Deletion runs immediately and completely.

What happens on withdrawal: the applicant clicks the withdrawal link — Locari then deletes all applicant data automatically and sends a confirmation email. What you decide: whether to proactively remove an applicant via Delete data before they withdraw themselves.

Legal Bases

Locari supports the GDPR legal bases relevant to the rental process:

  • Art. 6(1)(f) — Legitimate interest: first contact and communication as part of viewing interest (Phase A).
  • Art. 6(1)(b) — Pre-contractual measures: reviewing a potential tenant selection and preparing the lease (Phases B and C).
  • Art. 6(1)(a) — Consent / Art. 22 — Automated decision-making: for AI-assisted profile evaluation, Locari obtains the applicant's explicit consent before any evaluation.

Three-Phase Model

The German data protection authorities (DSK) set out a three-phase model for requesting data from prospective tenants in their guidance of 24 Jan 2024. Core principle: data minimization per phase — you only request what the current phase requires.

  • Phase A — Viewing interest: name, email, phone, rough household size only.
  • Phase B — Rental interest (after viewing): plus occupation, rough income (self-declaration), pets, freedom from rent debt.
  • Phase C — Shortlist: plus income proof (3 months), credit report (SCHUFA), redacted ID copy.

Locari applies this in your listing's criteria selection: sensitive criteria are assigned a minimum phase, and Locari warns you if you would request Phase C data too early. More under Applicant Criteria.

Data Subject Rights

Right of Access (Art. 15) and Data Portability (Art. 20)

If an applicant asks what data is stored, you, as the controller, provide the information. All applicant data is held in a structured form in the applicant profile.

Right to Rectification (Art. 16)

Correct incorrect data directly in the applicant profile; the change is documented in the history.

Right to Erasure (Art. 17)

After the process ends, applicant data is deleted automatically once the retention period expires. On request, delete immediately via Delete data in the rental case.

Right to Withdraw and Object (Art. 7(3) / Art. 21)

The withdrawal link in every consent email is permanently valid and never expires — Locari implements a withdrawal immediately and deletes the applicant data.

Retention Periods

During the Process

Applicant data is stored while the process is active.

After Completion

Once a rental case is completed, Locari schedules automatic deletion of the applicant data after 180 days (evidence preservation under German anti-discrimination law, AGG). This period is fixed; you don't configure anything.

On Withdrawal, Decline, or Expiry

If an applicant withdraws, declines, or does not respond (expiry after 10 days), Locari deletes the applicant data immediately. More under Data Deletion.

Separately, you as a landlord may be subject to your own statutory retention obligations (e.g. tax or commercial law for contract documents). Those concern the signed lease, not the application data of rejected prospects.

Technical Measures

Encryption and Servers

  • Encrypted connections (TLS) and encrypted storage
  • Server location EU (Stockholm) — no data transfer outside the EU

Access

  • Access only for the members of your workspace
  • Transparent email confirmation when logging in from a new device (one code by email, no extra setup)

Data Processing Agreement

For processing applicant data, Locari (Ametis Digital GmbH) acts as a data processor (Art. 28 GDPR) — you, as the landlord, remain the controller.

If you choose your own privacy policy (URL or PDF) for the listing instead of the Locari template, Locari shows a ready-made data-processing clause in the Consents tab that you can copy with one click and include in your own policy.

Checklist for Landlords

  • [ ] Privacy policy chosen for your listing (Locari template or your own URL/PDF)
  • [ ] If using your own policy: data-processing clause included
  • [ ] Applicant criteria configured per the three-phase model (no Phase C data too early)
  • [ ] Team informed about the data protection workflow

Related Pages

  • Data Protection — Overview
  • Manage Consent
  • Data Deletion and Periods
  • Applicant Details
Was this helpful?

Still have questions?

Contact us

Your personal letting assistant. Locari does the work — you decide.

More info in our Privacy Policy.

Product

  • How it works
  • Artificial intelligence
  • Control via WhatsApp
  • Security
  • Pricing

Company

  • About
  • Why Locari
  • Anti-profiling
  • Changelog
  • Careers
  • Press

Legal

  • Trust Center
  • Privacy Policy
  • Cookie Policy
  • Withdrawal & cancellation
  • Report illegal content
  • Imprint

Contact

  • Get in touch
  • Support & help
  • FAQ
  • Data protection
© Locari. A service by Ametis Digital GmbH.